Cryptolocker examples and variants

“Any attempt to remove or damage this software will lead to the immediate destruction of the private key by server”

Here is an example of an actual ransomware message:

“Private key will be destroyed on: specified date”

“Your important files were encrypted on this computer: photos, videos, documents, etc. Here is a complete list of encrypted files, and you can personally verify this.”

“Encryption was produced using a unique public key RSA-2048 generated for this computer. To decrypt files you need to obtain the private key. ”

“The single copy of the private key, which will allow you to decrypt the files, located on a secret server on the internet; the server will destroy the key after a time specified in this window. After that nobody and never will be able to restore files…”

“To obtain the private key for this computer, which will automatically decrypt files, you need to pay 300 USD / 300 EUR / similar amount in another currency.”

About Ransomware

The Original form

The Cryptolocker (trojan) has been around for roughly three years now, entering the user’s system via an infected email attachment. It quickly scans the computer and mapped network drives, encrypting important business data and files.

The virus then displays a message stating that in order to regain access to all your data you will need to pay the ransom amount, generally $300 to $400, usually through an online currency such as Bitcoin.

There are claims that paying the ransom is the only way to get your files back if you did not have an offline or off-site data backup in place. However, there are also claims that paying the ransom did not successfully decrypt all of the victims’ business data and files.

The good news is that the international community joined forces to create a team of law enforcement agencies, tech firms and cyber security experts and caught the bad guys in 2014, in what is known as Operation Tovar.

Luckily, security firms also intercepted a copy of the database used in the attacks, which helped them gain a better understanding of the true magnitude of the attacks and also allowed them to create keys to help users decrypt their files, through a service called Decrypt Cryptolocker. However, it was possible that not all Cryptolocker-encrypted files could be decrypted, and files encrypted by other ransomware variants were not covered. The site providing the keys is no longer active because that version of Cryptolocker no longer exists, but new and improved versions of ransomware are being discovered on a consistent basis.

The current form of Ransomware as described by the US-CERT and Homeland Security

Ransomware is often spread through phishing emails that contain malicious attachments or through drive-by downloading. Drive-by downloading occurs when a user unknowingly visits an infected website and then malware is downloaded and installed without the user’s knowledge.

Crypto ransomware, a malware variant that encrypts files, is spread through similar methods and has also been spread through social media, such as Web-based instant messaging applications. Additionally, newer methods of ransomware infection have been observed. For example, vulnerable Web servers have been exploited as an entry point to gain access into an organization’s network. [reference]

Other types of messages displayed by Ransomware

“Your computer has been infected with a virus. Click here to resolve the issue.”

“Your computer was used to visit websites with illegal content. To unlock your computer, you must pay a $100 fine.”

“All files on your computer have been encrypted. You must pay this ransom within 72 hours to regain access to your data.”

Trend in ransomware cause for concern

Ransomware or ScreenLocker viruses that impersonate Law Enforcement and Government Agencies

Fake: Canadian Security Intelligence Service

Fake: United States Department of Justice

Fake: Federal Bureau of Investigations

Ransomware at home, in the workplace – no one is exempt

It is getting harder to distinguish the real from the fake: viruses now use email spoofing and impersonate email addresses you might actually know. The attachments look like everyday documents with normal file extensions.

With everything connected, these viruses are designed to discover opportunity and move rapidly through networks and systems, spreading like wildfire, encrypting files and covering their traces. They can live very comfortably and undiscovered for a while, until they have encrypted enough data to start making demands on your wallet, urging you to purchase the key to decrypt your data, generally via an online currency.

New form of Ransomware Maktub Locker (dubbed beautiful)

The reason it is being called beautiful is its GUI design and other features. It arrives as an email with a fake terms of service update, brandishing two official-looking Office document icons.

This virus actually shows you an Office document when opened. While the user is reading the fake document, the virus runs in the background encrypting files. The Maktub Locker is also unique because it operates both online and offline; unlike other ransomware, it is not dependent on being connected to a server.

As the files are encrypted they are simultaneously compressed, and their file extensions are changed.

The website used for taking payment has also drawn comments regarding its design.

12 Things you can do today to prevent getting infected by ransomware

1.) Stop it at the source, your first point of contact: email

Slow down on your clicking and take a little more time to inspect your emails; read the details, attributes and characteristics carefully. Don’t click or follow web links in emails that you are unsure about.

Common things to look for when inspecting your emails to avoid ransomware infections

From (sender) address: ensure the domain matches the alleged company and sender named in the email.

File attachments and their file extensions: look for uncommon extensions, even if the file icon looks like a real document you are used to seeing.

Any phishy language demanding immediate action.

Fake email updates from known companies and brands about changes and updates that might require you to click or download something.

Requests to sign in and authenticate your account to prevent something from happening.
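The checks in the list above can be applied automatically before a user ever opens a message. The script below is an added example, not code from the original post: it parses a raw email, compares the sender’s domain against the domains a named brand legitimately uses, flags uncommon or double file extensions on attachments (including macro-enabled Office formats), and looks for urgent wording. The brand-to-domain table, the extension lists, the urgency phrases and both sample messages are constructed for illustration and are not a complete filter.

```python
"""Triage a raw email against the ransomware-inspection checklist (added example)."""
import email
import os
from email import policy
from email.message import EmailMessage

# Assumed: brands we expect mail from, mapped to the domains they legitimately send from.
KNOWN_BRAND_DOMAINS = {"examplebank": {"examplebank.com"}, "acme": {"acme.com"}}

# Extensions that are uncommon for everyday documents and commonly used to deliver malware.
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".bat", ".cmd", ".ps1", ".jar", ".hta", ".wsf"}
# Macro-enabled Office formats (see item 12 on avoiding macros).
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm"}
# Illustrative "phishy" phrases demanding immediate action.
URGENCY_PHRASES = ("immediately", "within 24 hours", "account will be suspended",
                   "verify your account", "remit payment")


def inspect_email(raw_bytes):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []

    # 1. Sender domain must match the brand the display name claims to be.
    from_header = msg["from"]
    if from_header and from_header.addresses:
        addr = from_header.addresses[0]
        domain = addr.addr_spec.rsplit("@", 1)[-1].lower()
        display = (addr.display_name or "").lower()
        for brand, domains in KNOWN_BRAND_DOMAINS.items():
            if brand in display and domain not in domains:
                findings.append(f"sender domain '{domain}' does not match claimed brand '{brand}'")

    # 2. Attachment extensions: risky, macro-enabled, or disguised with a double extension.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        root, ext = os.path.splitext(name)
        ext = ext.lower()
        inner_ext = os.path.splitext(root)[1].lower()
        if ext in RISKY_EXTENSIONS:
            findings.append(f"attachment '{name}' has a risky extension '{ext}'")
        elif ext in MACRO_EXTENSIONS:
            findings.append(f"attachment '{name}' is a macro-enabled document")
        if inner_ext and ext in RISKY_EXTENSIONS:
            findings.append(f"attachment '{name}' uses a double extension to look like '{inner_ext}'")

    # 3. Urgent language in the message body.
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content().lower() if body_part is not None else ""
    hits = [p for p in URGENCY_PHRASES if p in body]
    if hits:
        findings.append("urgent language: " + ", ".join(hits))
    return findings


def build_sample(sender, subject, body, attachment_name=None):
    """Build a constructed raw email (bytes) so the example runs offline."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.org"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"constructed attachment bytes", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


# Constructed samples: one impersonating a bank, one legitimate statement.
PHISHY = build_sample(
    "ExampleBank Support <alerts@examplebank-secure.net>",
    "Action required",
    "Please verify your account immediately or your account will be suspended.",
    attachment_name="statement.pdf.js",
)
BENIGN = build_sample(
    "Acme Billing <billing@acme.com>",
    "Your March statement",
    "Your monthly statement is attached for your records. No action is needed.",
    attachment_name="statement-2016-03.pdf",
)

if __name__ == "__main__":
    for label, raw in (("phishy", PHISHY), ("benign", BENIGN)):
        print(label, inspect_email(raw) or ["no findings"])
```

The sender check deliberately compares the display name against the domain rather than trusting either alone, because spoofed mail typically gets the friendly name right and the domain subtly wrong. A real deployment would also check the Return-Path and authentication results headers and would keep the brand table in configuration rather than in code.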

2.) Security Policies or Group Policies that prevent opening links in email, or specified file types

3.) Adjust the configuration of your spam and firewall settings

The options and features will vary depending on your particular email service and firewall. It will not hurt to review the current configuration; more than likely there are tweaks you can make that increase protection beyond the defaults.

4.) Keeping everything updated helps reduce vulnerability

Web browsers

Operating Systems

Plugins, Extensions and Apps

Other software (Office, Adobe, etc.)

5.) Have a Local backup plan

This generally consists of a specific group of folders that are backed up locally to a vault on your hard drive or, better yet, an external hard drive. The local backup works best if it encrypts and writes the data using compressed blocks through a file differential backup method; this way only changed data is backed up.

In addition, creating local copies of the current system using a Windows system disk imaging tool would allow you to recover the entire system from that image.

6.) Have an Off-Site backup plan

This method sends a securely encrypted copy of the local backup data to a cloud storage vault, ensuring that you have a safe, restorable copy of your data; this can protect you from any type of data loss scenario.

7.) Stay informed about what is going on with this problem

It’s easy to subscribe to various channels and have information sent to you directly:

9.) Avoid common Social Engineering traps

You might see email from a friend whose account has been hacked; the criminals will send emails to all of their contacts or leave messages on their social pages.

The messages may contain links or downloads that you are encouraged to look at or view.

The messages may urgently ask for assistance or help, claiming the sender has been robbed or suffered some other tragic event.

The messages may be asking for donations or fundraising for a particular cause.

10.) Don’t trust borrowed USB drives

If you are getting data from one of your colleagues or contacts on a portable USB drive, ensure you give it a quick virus scan before moving the files to your system. Some virus detection software has a feature you can enable that will automatically scan a new drive for problems as soon as it is plugged in.

11.) Use application whitelisting to prevent unauthorized software from performing tasks and running

With this method you specify only the software you deem safe and necessary to run on your system, which can automatically stop problems from creeping up. There are different ways to accomplish this, either via third-party software or using the native built-in functionality of your operating system. The general idea is that you turn on or enable Parental Controls, then create a new account that operates under the parameters you set for it (specifying the software allowed to run under that account). If a new program tries to run it will be flagged or blocked, and will require a permission override.

12.) Avoid enabling macros on email attachments

Ransomware is now using macros in Microsoft Word documents; an example is the “Locky” ransomware variant, which disguised itself as an invoice.

The email subject line read: ATTN: Invoice J-98223146, with a message that says, “Please see the attached invoice (Microsoft Word Document) and remit payment according to the terms listed at the bottom of the invoice.”

Advance preparation is the best plan

The advantage of this plan is that you are fully prepared, with a fully functioning data recovery plan in place, before the problem exists.

In many cases the ideal backup plan consists of your backup data living in two storage vaults that are synchronized.

The first vault will be a copy of all your critical files, living on your local system or on an external hard drive or networked drive.

The second vault will be in a secure off-site location, such as cloud storage or another remote server that hosts backups.

Settings and features to consider in a backup software solution

Ensure the solution has retention settings you can configure. For instance, you might set a retention period of 45 days, which would allow you to essentially go back in time 45 days with your backup data; we use this feature in our re-brandable backup client and server software.

As a built-in protection for people using WholesaleBackup software, we have enabled a feature which will always retain two versions of a file (or the deleted version of a file) for the full retention period, to ensure that there is always a good copy of the file that can be restored.
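Why the two-versions rule matters becomes clear when a retention policy meets a file that ransomware has overwritten: the encrypted copy is the newest version, and a naive 45-day expiry can throw away the last good one. The simulation below is an added example and not WholesaleBackup’s code. It models a vault with differential backups (unchanged content stores nothing new), a retention window, and a configurable minimum number of versions to keep per file, then runs the same overwrite-and-delete scenario with a minimum of two versions and with a minimum of one. All file names, dates and contents are constructed.

```python
"""Retention with a minimum-versions floor, simulated (added example)."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Version:
    stored_at: datetime
    digest: str
    content: Optional[bytes]  # None marks a "file was deleted" record


class Vault:
    def __init__(self, retention_days=45, min_versions=2):
        self.retention = timedelta(days=retention_days)
        self.min_versions = min_versions
        self.files = {}  # path -> list[Version], oldest first

    def backup(self, path, content, now):
        """Store a new version only if the content changed (differential backup)."""
        digest = hashlib.sha256(content).hexdigest()
        versions = self.files.setdefault(path, [])
        if versions and versions[-1].digest == digest:
            return False
        versions.append(Version(now, digest, content))
        return True

    def record_deletion(self, path, now):
        """Keep a marker so the last real version survives the retention window."""
        versions = self.files.setdefault(path, [])
        if versions and versions[-1].content is None:
            return False
        versions.append(Version(now, "", None))
        return True

    def prune(self, now):
        """Drop versions older than the retention window, but never go below min_versions."""
        removed = 0
        for versions in self.files.values():
            kept = []
            for index, version in enumerate(versions):
                remaining = len(versions) - index  # this version plus all newer ones
                expired = now - version.stored_at > self.retention
                if expired and remaining > self.min_versions:
                    removed += 1
                else:
                    kept.append(version)
            versions[:] = kept
        return removed

    def restore(self, path, as_of):
        """Newest real content stored at or before as_of, or None if nothing restorable."""
        for version in reversed(self.files.get(path, [])):
            if version.stored_at <= as_of and version.content is not None:
                return version.content
        return None


def run_scenario(min_versions):
    """Day 0: good backups. Day 10: one file deleted. Day 50: ransomware overwrites the other."""
    vault = Vault(retention_days=45, min_versions=min_versions)
    day0 = datetime(2016, 3, 1)
    original = b"Q1 sales figures (constructed sample content)"
    ciphertext = b"\x8f\x1a\x07 constructed stand-in for encrypted bytes"
    vault.backup("docs/sales.xlsx", original, day0)
    unchanged_skipped = not vault.backup("docs/sales.xlsx", original, day0 + timedelta(days=1))
    vault.backup("docs/notes.txt", b"meeting notes (constructed)", day0)
    vault.record_deletion("docs/notes.txt", day0 + timedelta(days=10))
    day50 = day0 + timedelta(days=50)
    vault.backup("docs/sales.xlsx", ciphertext, day50)  # the encrypted copy is now newest
    removed = vault.prune(day50)
    return {
        "unchanged_skipped": unchanged_skipped,
        "removed": removed,
        "sales_recovered": vault.restore("docs/sales.xlsx", day50 - timedelta(days=1)) == original,
        "notes_recovered": vault.restore("docs/notes.txt", day50) is not None,
    }


if __name__ == "__main__":
    print("min_versions=2:", run_scenario(2))
    print("min_versions=1:", run_scenario(1))
```

With a two-version floor, the day-0 copy of the overwritten spreadsheet and the pre-deletion copy of the notes both survive the day-50 prune even though they are older than 45 days, so a restore to the day before the attack succeeds. With a floor of one version, the prune removes both old copies and the only remaining “version” of each file is the ciphertext or the deletion marker, which is exactly the data-loss scenario the retention feature is meant to prevent.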

You can build your very own Windows backup server using our server backup platform, then provision end-user online backup clients branded with your company name. Your customers will have a local and online backup system in which they store their backup data in a local vault on their own machine, in addition to another backup storage vault on your Windows backup server.

We also provide a hybrid cloud backup platform that allows you to store customer data on very cheap cloud storage from Amazon S3 and Google Cloud Storage. This option does not require you to have your own server. All you have to do is provision the cloud backup clients with your company brand and logo. Once they are installed and the files and folders to back up are selected, the data goes through a de-duplication process to avoid duplicate files, is split into file blocks that are encrypted for transmission, and is sent to your cloud storage vault.

Whether you choose to build your own backup server or create your own cloud backup clients, you can run and monitor your backup business from a web browser with the Backup Management Web Console, which centralizes all of your customers’ status, backups, settings and billing information. Our partners, MSPs, VARs and resellers call this the mission control center for their backup operations.